An average of 37 percent of drivers are reluctant to use connected-car services due to privacy concerns, according to the 2014 Connected Car Consumer Survey by McKinsey & Company. That’s no surprise considering that connected cars are part of today’s quickly expanding Internet of Things (IoT), making them just as vulnerable to cyber crime as any computer with a web connection. Criminals may target any number of vehicle systems and networks, from Bluetooth and USB ports to infotainment interfaces and in-car apps.
To allay customer concerns, here’s what OEMs need to know about IoT security for connected cars:
From the get-go, OEMs should introduce clear privacy rules to protect both the connected-car driver and the data the car collects. Customers should know how the data is being used -- especially since transmission of that data isn’t necessarily a choice. In a connected car, a consumer can’t really “turn off” the information flow within their vehicle.
A January 2015 Federal Trade Commission (FTC) report on IoT recommends that companies adopt data minimization practices, meaning they should limit the information they collect and retain it for a limited time only. In connected cars, this information may include technical data related to the functioning of the vehicle, or Event Data Recorder (EDR) data. Of course, automakers should still consider acquiring customer consent before retrieving such data.
In the case of personal data related to infotainment and subscriptions, customers can typically retain some control by wisely selecting the type of data they choose to enter via their in-vehicle systems (e.g., music, contact lists, name, address).
Related to the issue of data privacy is the question of data ownership. OEMs need to ensure customers understand who owns the data their cars collect. Does the automaker own it? Does the customer own it? If the customer sells the car, does the data stay with that person, or does it go with the vehicle and its new owner?
In a 2014 InformationWeek column, security software firm Chief Marketing Officer Judith Bitterli explains, “If I bought the car, my assumption would be that I own that data. And in the tech world, you have to ask permission from the user before you use that data.”
For connected cars, data ownership rules are still unclear. And until a factory-default “data reset button” is introduced, OEMs are left to sort data ownership out for themselves.
Risks to the Vehicle
In a connected car, data isn’t the only thing at stake. According to the McKinsey & Company survey, 54 percent of drivers are afraid criminals can manipulate their car if it’s connected to the web. Could burglars determine a vehicle’s location by hacking the GPS? Could malicious individuals hack into vehicle-to-vehicle communication networks and cause traffic jams or crashes? While these may be unprecedented scenarios, they certainly demonstrate the importance of IoT security for the connected car.
According to a 2014 IBM Institute for Business Value report on Cyber Assurance for Next-Generation Vehicles, OEMs can minimize these risks by focusing on three areas: designing secure cars; creating safe, encrypted networks; and “hardening” their vehicles to prevent remote hacking.
Best Practices and Standards
True security demands a tested, standards-based approach. In its 2015 report on IoT, the FTC urges all companies developing IoT products to follow best practices related to cybersecurity defense. For OEMs developing connected cars, which access networks for everything from transmitting sensor data to downloading software updates, this is especially relevant.
Fortunately, the auto industry is already a step ahead in coming up with vehicle-specific privacy standards. Twenty-three major automakers have agreed to abide by the Auto Alliance’s Privacy Principles for Vehicle Technologies and Services, which are among the first industry standards to address consumer concerns about what data we collect, how we use it, and when/why that data is shared.
To assure consumers their connected cars are safe to use, it’s imperative for every connected-car OEM and Tier 1 supplier to adhere to principles like these. Taking steps to keep unauthorized users from accessing your customers’ cars or collected data is simply good business.
And one day, it may even be the law. Some senators have introduced legislation mandating security and privacy measures for IoT, and specifically for the data collected by connected cars.